ExploitProtectionSettings.xml is my Windows 10/11 Exploit Protection settings. They are based on a mixture of Microsoft recommendations, requirements from DoD STIGs, and customizations for my own use case.
This repository exists to get my exploit mitigations under version control and consistent across my endpoints. You're free to use these settings, but they are likely to break a lot of programs: I have them set as strictly as possible for my use case and add exceptions only where I encounter issues. If you find a compatibility issue with common software, please submit an issue with the mitigation settings required to get it working.
You can download and run `Update-ExploitProtectionSettings.ps1` in PowerShell as an admin to automatically apply this policy. Run it again at any time to update the policy with any new changes posted here -- no need to install Git on the endpoint. To manually apply the settings, see the following section.
The settings XML files found here can be applied via PowerShell with the following commands (as admin):
- Verify that the file is valid:

```powershell
Set-ProcessMitigation -PolicyFilePath .\ExploitProtectionSettings.xml -IsValid
```

- Apply the policy:

```powershell
Set-ProcessMitigation -PolicyFilePath .\ExploitProtectionSettings.xml
```
Note that applying settings using this method does not remove existing per-process settings; entries already on the endpoint that the XML does not mention stay in place. Existing settings that conflict with the applied settings are overwritten.
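Because applying only adds and overwrites, an endpoint can accumulate per-process entries that are no longer in the policy file. The following script is an added example for this README, not the repository's `Update-ExploitProtectionSettings.ps1`: it validates and applies the policy, then exports the live configuration with `Get-ProcessMitigation -RegistryConfigFilePath` and lists any `AppConfig` executables present on the endpoint but absent from the XML. The `$ExportPath` scratch file and the `MitigationPolicy`/`AppConfig Executable="..."` layout it reads are assumptions about the exported XML.

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's own script): validate, apply, then audit for
# per-process entries that the apply step leaves behind because it never removes anything.

$PolicyPath = ".\ExploitProtectionSettings.xml"            # the policy from this repo
$ExportPath = Join-Path $env:TEMP "ep-current-export.xml"   # constructed scratch path

# 1. Validation: stop if the cmdlet reports an error for the file.
try {
    Set-ProcessMitigation -PolicyFilePath $PolicyPath -IsValid -ErrorAction Stop
} catch {
    throw "Policy file failed validation: $($_.Exception.Message)"
}

# 2. Apply the policy (adds/overwrites matching entries; unrelated entries stay).
Set-ProcessMitigation -PolicyFilePath $PolicyPath

# 3. Export what the registry now holds and compare the AppConfig executables.
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
[xml]$policy  = Get-Content -Raw -LiteralPath $PolicyPath
[xml]$current = Get-Content -Raw -LiteralPath $ExportPath

# Assumed layout of both files:
#   <MitigationPolicy><AppConfig Executable="name.exe">...</AppConfig>...</MitigationPolicy>
$wanted = @($policy.MitigationPolicy.AppConfig  | ForEach-Object { $_.Executable.ToLowerInvariant() })
$live   = @($current.MitigationPolicy.AppConfig | ForEach-Object { $_.Executable.ToLowerInvariant() })
$stale  = @($live | Where-Object { $_ -notin $wanted })

if ($stale.Count -gt 0) {
    Write-Warning "Per-process entries present on this endpoint but not in the policy:"
    $stale | ForEach-Object { Write-Warning "  $_" }
    # Review each one before touching it. To drop an entry entirely:
    #   Set-ProcessMitigation -Name <executable> -Remove
} else {
    Write-Host "No stale per-process entries found."
}

Remove-Item -LiteralPath $ExportPath -ErrorAction SilentlyContinue
```

The script only reports stale entries rather than removing them, since a leftover entry may be an exception someone added by hand for a program that otherwise breaks; removal is left as the commented manual step.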
I find it easier to read and maintain the XML files in the current format, but `Get-ProcessMitigation` writes the XML with all attributes on the same line. The following are ways you can put attributes on their own line in the XML files (pipe the result to `Set-Content` to write it back):

```powershell
$settings = Get-Content .\ExploitProtectionSettings.xml
# Break before each attribute: a letter or closing quote, a space, then a letter.
# [A-Za-z] rather than [A-z], which would also match the punctuation between 'Z' and 'a'.
$settings -replace "([A-Za-z`"]) ([A-Za-z])", "`${1}`n `${2}"
```
In your editor's regex replace mode, replace this:

```
([A-Za-z"]) ([A-Za-z])
```

With this:

```
$1
$2
```
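The regex approach matches letter-space-letter anywhere, so it also breaks an attribute value that contains a space (for example a program name in `Executable="..."`). As an added example that is not part of this repository, the function below does the same re-indentation through the .NET `XmlWriter` with `NewLineOnAttributes`, which only inserts line breaks between attributes. The function name `Format-MitigationXml`, the `$OutPath` parameter, and the sample document are assumptions introduced here; the sample is constructed, not an entry from the real policy.

```powershell
#Requires -Version 5.1
# Added example, not code from this repository: put each attribute on its own line using
# the .NET XmlWriter instead of a regex, so attribute values containing spaces stay intact.
function Format-MitigationXml {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $OutPath = $Path   # defaults to rewriting the file in place
    )
    [xml]$doc = Get-Content -Raw -LiteralPath $Path

    # .NET resolves relative paths against its own working directory, not $PWD.
    if (-not [System.IO.Path]::IsPathRooted($OutPath)) {
        $OutPath = Join-Path $PWD.ProviderPath $OutPath
    }

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.IndentChars = "  "
    $settings.NewLineOnAttributes = $true   # one attribute per line

    $writer = [System.Xml.XmlWriter]::Create($OutPath, $settings)
    try {
        $doc.Save($writer)
    } finally {
        $writer.Dispose()
    }
    return $OutPath
}

# Constructed sample (not a real policy entry). The space in the executable name is
# exactly the case a letter-space-letter regex would split across two lines.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy><AppConfig Executable="example app.exe"><DEP Enable="true" EmulateAtlThunks="false" /><ASLR ForceRelocateImages="true" RequireInfo="false" /></AppConfig></MitigationPolicy>
'@
$tmp = Join-Path $env:TEMP "ep-sample.xml"   # constructed scratch path
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8

# Reformat and show the result; Executable="example app.exe" remains on one line.
Get-Content -LiteralPath (Format-MitigationXml -Path $tmp)
```

For the real file, run `Format-MitigationXml -Path .\ExploitProtectionSettings.xml` right after a `Get-ProcessMitigation -RegistryConfigFilePath` export; the result is still valid input for `Set-ProcessMitigation -PolicyFilePath`, since only whitespace between attributes changes.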
The table below provides a glossary of Process Mitigation-related terms and how they relate to each other throughout the different shells and interfaces.
Component | XML / PowerShell Name | Exploit Protection App Name | Description |
---|---|---|---|
ASLR | BottomUp | Randomize memory allocations (Bottom-up ASLR) | Randomize locations for virtual memory allocations. |
ASLR | HighEntropy | Don't use high entropy | |
ASLR | ForceRelocateImages | Force randomization for images (Mandatory ASLR) | Force relocation of images not compiled with /DYNAMICBASE. |
ASLR | RequireInfo | Do not allow stripped images | |
BinarySignature | MicrosoftSignedOnly | Code integrity guard | Only allow the loading of images to those signed by Microsoft. |
BinarySignature | AllowStoreSignedBinaries | Also allow loading of images signed by Microsoft Store | |
BinarySignature | EnforceModuleDependencySigning | Validate image dependency integrity | Enforces code signing for Windows image dependency loading. |
CFG | Enable | Control flow guard (CFG) | Ensures control flow integrity for indirect calls. |
CFG | StrictControlFlowGuard | Use strict CFG | |
CFG | SuppressExports | (not visible) | |
Child Process | DisallowChildProcessCreation | Do not allow child processes | Prevents programs from creating child processes. |
DEP | EmulateAtlThunks | Enable ATL thunk emulation | |
DEP | Enable | Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages. |
DynamicCode (ACG) | AllowThreadsToOptOut | Allow thread opt-out | |
DynamicCode (ACG) | BlockDynamicCode | Arbitrary code guard (ACG) | Prevents non-image backed code, and code page modifications. |
ExtensionPoint | DisableExtensionPoints | Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as windows hooks. |
FontDisable | DisableNonSystemFonts | Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system Fonts directory. |
Heap | TerminateOnError | Validate heap integrity | Terminates a process when heap corruption is detected. |
ImageLoad | BlockLowLabelImageLoads | Block low integrity images | Prevents loading of images marked with low-integrity. |
ImageLoad | PreferSystem32 | (not visible) | |
ImageLoad | BlockRemoteImageLoads | Block remote images | Prevents loading of images from remote devices. |
Payload | EnableExportAddressFilter | Export address filtering (EAF) | Detects dangerous exported functions being resolved by malicious code. |
Payload | EnableExportAddressFilterPlus | Validate access for modules that are commonly abused by exploits. | |
Payload | EnableImportAddressFilter | Import address filtering (IAF) | Detects dangerous imported functions being resolved by malicious code. |
Payload | EnableRopCallerCheck | Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. |
Payload | EnableRopSimExec | Simulate Execution (SimExec) | Ensures that calls to sensitive functions return to legitimate callers. |
Payload | EnableRopStackPivot | Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive functions. |
SEHOP | Enable | Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during dispatch. |
SEHOP | TelemetryOnly | (not visible) | |
StrictHandle | Enable | Validate handle usage | Raises an exception on any invalid handle references. |
System Call | DisableWin32kSystemCalls | Disable Win32k system calls | Stop programs from using the Win32k system call table. |